(57) ABSTRACT

A system and method are provided for an information management system (IMS) having an underlying relational database management system (RDBMS) that allows applications to access the RDBMS directly for improved performance without going through the IMS, while maintaining access control. An access control list (ACL) is generated, with tables in the RDBMS being bound using codes in the ACL. At run time or, more preferably, pre-run time, user-defined functions (UDF) evaluate access control attributes and generate an access authorization table, which is joined with the appropriate information table(s) in response to a query against a view on the table. The view is presented to the querying user. Thus, access control rules are encapsulated in the view that is presented to the user.
SYSTEM AND METHOD FOR RDBMS TO PROTECT RECORDS IN ACCORDANCE WITH NON-RDBMS ACCESS CONTROL RULES

FIELD OF THE INVENTION

The present invention relates to methods and systems for allowing applications to directly access a relational database while protecting records in the database.

BACKGROUND OF THE INVENTION

Information management systems (IMS) typically use a relational database management system (RDBMS) to manage data records in a database. As an example, an IMS might manage document data, with the desire that some documents can be read by all users but only written to by a few. Many other high-level access rules can be enforced by the IMS. In any case, when a user wants to access the records of a document in the RDBMS, the user is routed through the IMS to first check for access control.

The documents themselves are broken down into records of various formats by the IMS and the records are stored in tabular form in the RDBMS, which can efficiently manage the records for querying using a language known as SQL. Only the IMS knows the high level access control rules. User applications must access the RDBMS indirectly, through the IMS, to ensure integrity and protection of data.

Unfortunately, as recognized herein, requiring applications to access data indirectly, i.e., through the IMS, slows down performance. As stated above, however, with the current state of the art, applications cannot be permitted to access the RDBMS directly because this would bypass the access control functions of the IMS. Moreover, the present invention recognizes that RDBMS manage low level access protection for sets of homogeneously structured records, and not for individual entities. The IMS must enforce access protection rules at the entity (document) level.

As also recognized herein, some new applications, such as e-commerce applications, require, in the database context, heretofore unusual distribution rules (as opposed to access rules) that are related to content licensing. These licensing rules can and do change over time, so that a data system's protection rules advantageously should be extensible. The present invention recognizes that it would be desirable to allow a user to access an RDBMS directly, without first going through an IMS, while maintaining IMS access control and without requiring reengineering of the RDBMS to account for extensions of access control.

SUMMARY OF THE INVENTION

The invention is a general purpose computer programmed according to the inventive steps herein. The invention can also be embodied as an article of manufacture - a machine component - that is used by a digital processing apparatus and which tangibly embodies a program of instructions that are executable by the digital processing apparatus to undertake the present invention. This invention is realized in a critical machine component that causes a digital processing apparatus to perform the inventive method steps herein. The invention is also a computer-implemented method for undertaking the acts disclosed below.

Accordingly, a computer program product includes computer usable code means programmed with logic for enforcing high level access control rules of an information management system (IMS) for an application directly communicating with a relational database management system (RDBMS) associated with the IMS. The program product includes computer readable code means for binding at least one RDBMS table using one or more access control list (ACL) codes representing the high level access control rules. Also, the logic includes computer readable code means for issuing a query from the application against an RDBMS view, and computer readable code means for returning the result of the query against the view.

In another aspect, a data system includes a server computer programmed to undertake method acts for responding to user queries for data from a database controlled by the server computer. The method acts undertaken by the server computer include receiving a query, and receiving an access control output from at least one algorithm. In response to the query and the access control output, the computer populates a view for presentation thereof to the user. Thus, the view encapsulates the access control rules.

The system can include a database management system (DBMS), and the application directly communicates with the DBMS. In a particularly preferred embodiment, the method executed by the computer includes defining at least one view on at least one table in the database, and executing a query against the view using at least the access control output. The results of the query against the view are then returned.

As set forth in detail below, the access control output preferably is represented by at least one Access Authorization table (AAT), and the AAT and the information table(s) are joined using a join key, the join key being at least one access control code, to produce the view. With this arrangement, multiple rows of the information table can be bound using respective multiple ACL codes, or all rows of the information table can be bound to a single set of codes.

In another aspect, a method is disclosed for enforcing at least one access control rule in a data system including at least one application accessing at least one information management system (IMS) associated with a DBMS, the application accessing the DBMS via at least one direct communication path that bypasses the IMS. The method includes receiving a specification for the IMS data schema and generating a DBMS view in response to the specification, with the view encapsulating the access control rule. The view is then presented via the direct communication path to the application.

In still another aspect, a system includes at least one information management system (IMS), at least one application communicating with the IMS, and at least one relational database management system (RDBMS) communicating with the IMS. The application communicates directly with the RDBMS via at least one direct communication path that does not include the IMS.

In yet another aspect, a method is disclosed for enforcing high level access control rules of an information management system (IMS) for an application directly communicating with a relational database management system (RDBMS) that is associated with the IMS. The method includes providing at least one access authorization table (AAT). The AAT contains data representing high level access control rules. Also, the method includes providing at least one information table in the RDBMS, and in response to a query for data from the application, joining the AAT with at least one information table to return a result in accordance with at least one of the high level access control rules.
In another aspect, a data system includes a server computer programmed to undertake method acts for responding to user queries for data from a database controlled by the server computer. The method acts undertaken by the server computer include storing the database in a second system, such as but not limited to a DBMS and more particularly a RDBMS, and maintaining access control specifications that restrict access to data. The method acts also include allowing a user to access data directly through the second system, and in response to the direct access by the user, causing the second system to enforce the access control specifications without intervention from the data system.

In a preferred implementation of this aspect, the user is an application. In one preferred embodiment the data system supports a data model that is different from a data model supported by the second system, whereby the access control specifications are not directly enforceable by a native access control capability of the second system.

As set forth in further detail below, the access control specifications preferably are stored in at least a first table in the RDBMS, and a RDBMS view is generated by joining a data table with the first table. The view can be used by the user for directly accessing data. Preferably, the view includes at least one UDF on the first table, with the UDF implementing the data system's access control model. The view can be created when the data table is created. Moreover, resolutions of the access control specifications can be computed using the data system's access control model and stored in an access authorization table (AAT) in the RDBMS. Thus, in a particularly preferred embodiment the RDBMS view is a join between a data table and the AAT, for use of the view by a user for direct access to data.

The details of the present invention, both as to its structure and operation, can best be understood in reference to the accompanying drawings, in which like reference numerals refer to like parts, and in which:

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of the present system;

FIG. 2 is a schematic representation of the data structure of an access control list (ACL);

FIG. 3 is a flow chart of the logic for generating a global RDBMS view embodying access control rules;

FIG. 4 is a flow chart of the logic for updating the Access Authorization Table;

FIG. 5 is a schematic diagram of an information table being joined with an ACL table; and

FIG. 6 is a flow chart of the logic for executing a query using the present system.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

Referring initially to FIG. 1, a system is shown, generally designated 10, that includes at least one user computer 12 having a software-implemented application 14 that generates queries. Input to the user computer 12 is via one or more input devices 16, and query results can be output on an output device 18. The input device 16 can be any suitable device, such as a keyboard, keypad, mouse, joystick, trackball, voice-recognition software, and so on. The output device 18 can be a monitor, a speaker, another computer or computer network, a printer, and so on.

As shown in FIG. 1, the user computer 12 communicates with an information management system (IMS) 20 via an IMS communication path 22 using high-level application programming interfaces (API). The IMS 20 communicates with a relational database system (RDBMS) 24, such as the present assignee's DB2, that stores records of documents managed by the IMS 20, with the IMS 20 enforcing high level access control rules pertaining to the application 14 vis-a-vis the records of the RDBMS 24. Each IMS document consists of a root record, which is a row in a root table, and optionally some number of dependent records, which are rows in certain dependent tables. The way the system 10 achieves this enforcement, which is the subject of the present invention, enables the application 14 to issue queries and otherwise to communicate, via a direct communication path 26, directly with the RDBMS 24 using SQL (or other DBMS query language) without the direct communication path 26 going through the IMS, while nevertheless maintaining access control. One or both of the IMS 20 and RDBMS 24 can be hosted on a server computer 28, or each can have its own associated computer.

As intended herein, either or both of the user computer 12 and server computer 28 can be a server computer made by International Business Machines Corporation (IBM) of Armonk, N.Y. Other digital processors, however, may be used, such as personal computers, laptop computers, mainframe computers, palmtop computers, personal assistants, or any other suitable processing apparatus.

In any case, the processors of the computers access appropriate software to undertake the logic of the present invention, which may be executed by a processor as a series of computer-executable instructions. The instructions may be contained on a data storage device with a computer readable medium, such as a computer diskette having a computer usable medium with a program of instructions stored thereon. Or, the instructions may be stored on random access memory (RAM) of the computer, on a DASD array, or on magnetic tape, conventional hard disk drive, electronic read-only memory, optical storage device, or other appropriate data storage device. In an illustrative embodiment of the invention, the computer-executable instructions may be lines of C or C++ or Java code.

Indeed, the flow charts herein illustrate the structure of the logic of the present invention as embodied in computer program software. Those skilled in the art will appreciate that the flow charts illustrate the structures of computer program code elements, including logic circuits on an integrated circuit, that function according to this invention. Manifestly, the invention is practiced in its essential embodiment by a machine component that renders the program code elements in a form that instructs a digital processing apparatus (that is, a computer) to perform a sequence of function steps corresponding to those shown.

FIG. 2 schematically shows root information entities 30 that include respective access control list (ACL) codes 32 and respective owner fields 34. The owner field is needed only if each information entity has a distinct owner. Each root record 30 might have further dependent entities which, like the root record, have entity identifications. The owner field 34 can specify one or more owners or it can be null. If owner privilege is enabled, the owner of an entity can perform all legitimate operations on an entity he owns. Alternatively, table-level access control, instead of entity-level, can be established by ignoring the ACL codes 32 in each entity and associating the entire information table with a single ACL code that is recorded in an RDBMS system table.

In any case, the user defines which ACL codes pertain to which entities, with the ACL codes 32 being associated with
the row (or table) defined by the user. The user can change or delete access control rules, and when this occurs the ACL codes 32 of the information tables are changed accordingly. Thus, as intended by the present invention, when entity-level access control is established the entities 30 are bound by means of the ACL codes 32 to access control rules embodied in an access control table, generally designated 36. Specifically, the access control table 36 includes plural rows, each having an ACL code field 38 that, along with the ACL code 32 in the entities 30, is the binding key. Also, each ACL code field 38 has an associated ACL attribute 40 that in one preferred embodiment includes a user attribute 42, a privileges attribute 44 and a conditions attribute 46. If desired, a description field 48 can be provided to describe the ACL rules embodied in the ACL attribute 40.

The user attribute 42 specifies the user to which the privileges attribute 44 and conditions attribute 46 pertain. It can represent a single user by identification, or a group of users by group ID. The user attribute 42 can be qualified, i.e., it can be evaluated for users belonging to a specific department, acting in a certain role, possessing a particular certificate, holding a certain content subscription, or performing a predefined act (e.g., paying a selected sum of money). It will be appreciated that in evaluating the user attribute 42, a user-defined function (UDF) might access one or more auxiliary tables or even interact with a system external to the system 10.

On the other hand, the privileges attribute 44 specifies the operations that the user associated with the user attribute 42 is allowed to perform. To support licensing rules as might be required in e-commerce, operations that are not supported by the system 10 can be included as well. One preferred way to represent a privilege is by using a bit vector, in which each bit indicates whether a respective operation of a set of operations is allowed.

In contrast, the conditions attribute 46 represents whether certain optional conditions apply to the privileges represented by the privileges attribute 44. Examples of conditions include temporal conditions (e.g., the privileges can be exercised only during a predetermined period) and environment conditions (e.g., the data can be accessed only from within the corporate environment).

In accordance with the present invention, the values in the ACL attribute 40 are interpreted, using SQL, by respective user-defined functions (UDFs). Given a user, a user's state, an operation requested by the user on a target entity 30, and a system state, an ACL attribute value can be evaluated to either "allow" or "disallow" with respect to the requested operation. Thus, the access protection rules are encapsulated in the ACL attribute 40. With this in mind, the skilled artisan will recognize that advantageously, both the ACL attribute ...

Now referring to FIG. 3, the logic embodying portions of the above description can be seen. Commencing at block 50 an information table in the RDBMS 24 is defined to the IMS 20 by a user and the system table is updated at block 52. The information table remains inaccessible to users directly. Moving to block 54, a relational database view is created by joining the information table created at block 52 with the Access Authorization Table (AAT), described more fully below. The view, having incorporated access control rules from the AAT, thus embodies both information and access control rules. Next, at block 56 the entire user community is authorized to use the view created at block 54.

FIG. 4 shows the logic for defining, updating, and deleting access control rules. At block 58 the definition/update/deletion is received by the IMS 20, and the below-described corresponding system tables pertaining to the access control rule involved at block 58 are changed accordingly at block 60. In the preferred embodiment, the logic continues to block 62 to undertake certain precomputing, namely, the generation/modification of the AAT, which is essentially a combination of the various system tables related to access control and modified at block 60.

Accordingly, at block 62 an algorithm that implements the IMS's high-level access control model is applied to the below-described system tables to render or update the AAT. When the step at block 62 is precomputed, the algorithm can be a UDF associated with the RDBMS, or it can be an algorithm that is resident in and executed by the IMS 20. In contrast, if precomputing is not used and the step at block 62 is executed at query time, a UDF must be used to evaluate the access control attributes.

FIG. 5 illustrates the above-mentioned system tables and the AAT generated therefrom. A user table, a user group table, an operations table, a condition table, and an ACL table are shown in FIG. 5. Depending on the implementation, there may be additional tables. The user table and user group table essentially embody a set of user attributes 42 (FIG. 2), while the operations table lists permissible options and, thus, essentially embodies (with proper processing) the privileges attributes 44 (FIG. 2). The condition table embodies the conditions attribute 46 and the ACL table embodies the binding between these and other tables.

As described above in relation to block 62 of FIG. 4, the access control attributes embodied in the user table, user group table, operations table, condition table, and ACL table are evaluated in accordance with the high-level access control model to render a single Access Authorization table. Accordingly, the Access Authorization table represents access control rules, namely, the user, privilege, and condition attributes shown in FIG. 2.

It may now be further appreciated in light of the above disclosure how the applicable access control rules are folded into the view that is presented by the RDBMS directly to the application at query time. Referring to FIG. 6, at block 64 a user such as the application 14 of FIG. 1 accesses the RDBMS 24 via the direct access path 26 and issues a query against the view created at block 54 of FIG. 3. Moving to block 66 of FIG. 6, the RDBMS 24 converts the query to a query against the relevant information table(s) and the AAT, which query is evaluated and the AAT joined to the information table(s) to populate the view at block 68. The query results are then returned to the user via the direct access path 26.

The above join between the information table(s) and the AAT is accomplished using the ACL codes 32, 38 (FIG. 2) as a join key, as indicated by the line "join" in FIG. 5, and contains a predicate to select rows from the AAT that are applicable to the user and the intended operation. Thus, the information table implicated in the query is joined with the Access Authorization table as indicated in FIG. 5 to populate a view tailored for a particular user. Accordingly, when a query is issued at block 68 by a user against the view, which encapsulates the access control rules applicable to the user, the result of the query accounts for the IMS's access control. Consequently, with the IMS's access control rules folded adaptively into the view, there is no need for the RDBMS to enforce access control rules explicitly. In other words, in
contrast to conventional RDBMS systems, the present logic does not require special SQL statements to control information access.

In one preferred embodiment, the view generation syntax when implementing access control on a row by row basis on an information table (a feature not provided in conventional systems) is as follows.

CREATE VIEW R_ABC AS
SELECT * FROM ABC
WHERE OWN(OWNER, USER)=1
OR
ACL_CODE IN
(SELECT ACL_CODE FROM ACLTABLE
WHERE ALLOW(ACL, USER, "READ")=1);
GRANT SELECT ON R_ABC TO PUBLIC;

where ABC is a root-record table created by a user, containing system attributes OWNER and ACL_CODE, USER is a DB2 Special Register that contains the authorization ID for the current user, ACLTABLE is the access control list table shown in FIG. 2, OWN( ) is a system-provided UDF on the OWNER attribute, which checks whether a user is an owner, and ALLOW( ) is a system-provided UDF on the ACL attribute, which checks whether a user has a certain privilege.

Although in this example access privilege on this generated view R_ABC is granted to the public, it can instead be granted to selected users. Such users may further create more restrictive views on this view and authorize other users to use the more restrictive views.

The R_ABC view above is generated for use by all users on a root-record table ABC.

The "OWN(OWNER,USER)=1" predicate is needed only if the owner privilege is enabled. Checking of the IMS protection rules is undertaken by the UDF ALLOW( ), which essentially encapsulates the ACL attribute of the ACL table shown in FIG. 2. With this encapsulation, any protection rules and models can be supported by the system 10, as well as multiple models, so long as the UDF ALLOW( ) is able to determine which model is applicable for the conditions. Furthermore, encapsulation also facilitates subsequent protection extension or the addition of a new protection model to extend the system 10, because such changes are limited to the UDF (and the ACL attribute representation).

The sub-query SELECT ACL_CODE FROM ACLTABLE identifies the set of ACL codes that the current user is authorized to read. The view masks/filters the table according to the access control rules as applied to a given user and to each respective record in the information table. In one preferred embodiment, the sub-query can be predefined as a separate view ReadAuthorization as follows, so that it can be reused by other view definitions and so that system performance is enhanced.

CREATE VIEW ReadAuthorization AS
SELECT ACL_CODE FROM ACLTABLE
WHERE ALLOW(ACL, USER, "READ")=1;
CREATE VIEW R_ABC AS
SELECT * FROM ABC
WHERE OWN(OWNER, USER)=1
OR ACL_CODE IN (SELECT ACL_CODE FROM ReadAuthorization);
GRANT SELECT ON R_ABC TO PUBLIC;

As known to the skilled artisan, there are alternate syntaxes that would create equivalent views.

It is to be understood that when the triplets of attributes shown in FIG. 2 are used, the ALLOW( )=1 predicate set forth above can be replaced by a test for the existence, among the collection of triplets (USERS, PRIVILEGES, CONDITIONS), of a triplet that satisfies USR(USERS, USER)=1 AND READ(PRIVILEGES)=1 AND SATISFY(CONDITIONS)=1, where USR( ), READ( ), and SATISFY( ) are UDFs that respectively check whether the user is authorized, whether the READ privilege is granted, and whether any conditions are satisfied.

Although the AAT is preferably precomputed as discussed above, it can be determined at query time from the various system tables that pertain to access control. Moreover, as intended by the present invention, the reusable view described above can be materialized using the DB2 Summary Table capability or as a dependent table managed by the IMS 20. It can be materialized or refreshed at user logon, and can be evaluated either directly from the ACL table or indirectly from an intermediate view or Summary Table that contains the ACL_Codes for all users. This intermediate table can be refreshed when new rules are added, altered, or deleted. Because access protection is checked by the UDF and not by the RDBMS, the UDF ALLOW( ) can use the user ID passed as a parameter instead of using the USER variable, such that a "trusted application" (e.g., an http server) can operate under a single RDBMS user ID on behalf of many system users, and can authenticate users and pass their IDs to the RDBMS. This allows reuse of RDBMS connections for different users, as well as exploiting DB2's static query and statement caching features for improved performance.

It was mentioned above that in addition to providing access to root tables in the RDBMS, the system 10 supports access to dependent tables. This can be undertaken as follows, in which "DEF" is a dependent record table of root table ABC in the context of IMS documents, OWN( ) is a UDF, and the sub-query "SELECT A.ENTITY_ID FROM ABC" identifies the set of entity IDs (obtained from the root records) such that the user is either an owner or a READ-authorized user for these entities. An Entity-ID identifies a document, and is stored in every record of the document.

CREATE VIEW R_DEF AS
SELECT * FROM DEF
WHERE ENTITY_ID IN
(SELECT A.ENTITY_ID FROM ABC A, ReadAuthorization R
WHERE OWN(A.OWNER, USER)=1 OR A.ACL_CODE=R.ACL_CODE);
GRANT SELECT ON R_DEF TO PUBLIC;

Table-level access control, in which the entire information table is protected by a single ACL code, can be undertaken as follows:

CREATE VIEW R_XYZ AS
SELECT * FROM XYZ
WHERE 123 IN (SELECT ACL_CODE FROM ReadAuthorization);
GRANT SELECT ON R_XYZ TO PUBLIC;

where XYZ is a table of information entities and 123 is the ACL_CODE used to protect the table.

For heterogeneous sets, set membership must be maintained for each member of the set by, e.g., keeping the containing set entity ID in the root record or by storing it in a separate table. A view is then generated using the principles set forth above for generating set views.

It is to be understood that in the above examples a "READ" operation was shown, but UPDATE operations can




also be undertaken using a U_ACL view instead of a ReadAuthorization view.
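The following Python script is an added example, not code from the patent: it models the R_ABC, R_DEF and ReadAuthorization views above in SQLite, with OWN( ) and ALLOW( ) implemented as UDFs that evaluate (USERS, PRIVILEGES, CONDITIONS) triplets, and with the DB2 USER special register replaced by a USER_ID( ) UDF fed by a trusted application that authenticates the end user itself, as the text describes. The ACL attribute encoding, the group membership data, the system date and all sample rows are constructed assumptions; SQLite has no GRANT, so the grant statements are omitted.

```python
"""Access control rules folded into RDBMS views via UDFs (added example)."""
import sqlite3
from datetime import date

# Constructed sample "system state" and group membership (the kind of
# auxiliary data a UDF may consult); illustrative values, not the patent's.
SYSTEM_DATE = date(2024, 1, 15)
GROUPS = {"staff": {"alice", "bob"}, "subscribers": {"carol"}}


def parse_acl(acl):
    """Split an ACL attribute into (USERS, PRIVILEGES, CONDITIONS) triplets.
    Encoding assumed for this example: triplets separated by '|', the three
    fields by ';', list items by ','.  E.g. '@staff;READ,UPDATE;until=2025-01-01'."""
    triplets = []
    for part in filter(None, acl.split("|")):
        users, privs, conds = (part.split(";") + ["", ""])[:3]
        triplets.append((set(filter(None, users.split(","))),
                         set(filter(None, privs.split(","))),
                         [c for c in conds.split(",") if c]))
    return triplets


def usr(users, user):
    """USR(): a USERS entry names a user ID, '@public', or a '@group' name."""
    return any(e == user or e == "@public"
               or (e.startswith("@") and user in GROUPS.get(e[1:], ()))
               for e in users)


def satisfy(conditions):
    """SATISFY(): only the temporal condition 'until=YYYY-MM-DD' is modelled;
    any other condition kind fails closed."""
    for cond in conditions:
        key, _, value = cond.partition("=")
        if key != "until" or SYSTEM_DATE > date.fromisoformat(value):
            return False
    return True


def allow(acl, user, op):
    """ALLOW(ACL, USER, op) UDF: 1 if some triplet grants op to user, else 0."""
    return int(any(usr(u, user) and op in p and satisfy(c)
                   for u, p, c in parse_acl(acl)))


def own(owner, user):
    """OWN(OWNER, USER) UDF: 1 if user is among the comma-separated owners."""
    return int(owner is not None and user in owner.split(","))


# ACL table, root table ABC, dependent table DEF and the views from the text,
# with USER replaced by USER_ID() because SQLite has no USER special register.
SCHEMA = """
CREATE TABLE ACLTABLE (ACL_CODE INTEGER PRIMARY KEY, ACL TEXT);
CREATE TABLE ABC (ENTITY_ID INTEGER PRIMARY KEY, OWNER TEXT, ACL_CODE INTEGER, TITLE TEXT);
CREATE TABLE DEF (ROW_ID INTEGER PRIMARY KEY, ENTITY_ID INTEGER, BODY TEXT);
INSERT INTO ACLTABLE VALUES
  (1, '@public;READ;'),
  (2, '@staff;READ,UPDATE;'),
  (3, '@subscribers;READ;until=2023-12-31');
INSERT INTO ABC VALUES (10, 'alice', 1, 'public memo'),
                       (11, NULL,    2, 'staff plan'),
                       (12, 'dave',  3, 'expired newsletter');
INSERT INTO DEF VALUES (1, 10, 'memo body'), (2, 11, 'plan body'), (3, 12, 'news body');
CREATE VIEW ReadAuthorization AS
  SELECT ACL_CODE FROM ACLTABLE WHERE ALLOW(ACL, USER_ID(), 'READ') = 1;
CREATE VIEW R_ABC AS
  SELECT * FROM ABC
  WHERE OWN(OWNER, USER_ID()) = 1
     OR ACL_CODE IN (SELECT ACL_CODE FROM ReadAuthorization);
CREATE VIEW R_DEF AS
  SELECT * FROM DEF
  WHERE ENTITY_ID IN (SELECT A.ENTITY_ID FROM ABC A
                      WHERE OWN(A.OWNER, USER_ID()) = 1
                         OR A.ACL_CODE IN (SELECT ACL_CODE FROM ReadAuthorization));
"""


class TrustedApplication:
    """Holds one RDBMS connection on behalf of many end users it has already
    authenticated, and hands the current user's ID to the UDFs via USER_ID()."""

    def __init__(self):
        self.user = None
        self.con = sqlite3.connect(":memory:")
        self.con.create_function("OWN", 2, own)
        self.con.create_function("ALLOW", 3, allow)
        self.con.create_function("USER_ID", 0, lambda: self.user)
        self.con.executescript(SCHEMA)

    def query(self, user, sql):
        """Run a query against the views as the given authenticated user."""
        self.user = user
        return self.con.execute(sql).fetchall()

    def readable_entities(self, user):
        return [r[0] for r in self.query(user, "SELECT ENTITY_ID FROM R_ABC ORDER BY 1")]

    def readable_dependents(self, user):
        return [r[0] for r in self.query(user, "SELECT ROW_ID FROM R_DEF ORDER BY 1")]


if __name__ == "__main__":
    app = TrustedApplication()
    for who in ("alice", "carol", "dave", "mallory"):
        print(who, app.readable_entities(who), app.readable_dependents(who))
```

ReadAuthorization is evaluated at query time here; materializing it per user would play the role of the precomputed AAT.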

While the particular SYSTEM AND METHOD FOR RDBMS TO PROTECT RECORDS IN ACCORDANCE WITH NON-RDBMS ACCESS CONTROL RULES as herein shown and described in detail is fully capable of attaining the above-described objects of the invention, it is to be understood that it is the presently preferred embodiment of the present invention and is thus representative of the subject matter which is broadly contemplated by the present invention, that the scope of the present invention fully encompasses other embodiments which may become obvious to those skilled in the art, and that the scope of the present invention is accordingly to be limited by nothing other than the appended claims, in which reference to an element in the singular is not intended to mean "one and only one" unless explicitly so stated, but rather "one or more". All structural and functional equivalents to the elements of the above-described preferred embodiment that are known or later come to be known to those of ordinary skill in the art are expressly incorporated herein by reference and are intended to be encompassed by the present claims. Moreover, it is not necessary for a device or method to address each and every problem sought to be solved by the present invention, for it to be encompassed by the present claims. Furthermore, no element, component, or method step in the present disclosure is intended to be dedicated to the public regardless of whether the element, component, or method step is explicitly recited in the claims. No claim element herein is to be construed under the provisions of 35 U.S.C. §112, sixth paragraph, unless the element is expressly recited using the phrase "means for" or, in the case of a method claim, the element is recited as a "step" instead of an "act".

I claim: 35 

1. A data system including a server computer programmed 
to undertake method acts for responding to user queries for 
data from a database controlled by the server computer, the 
method acts undertaken by the server computer including: 

receiving a query; 40 
receiving an access control output from at least one 

algorithm from an information management system 

QMS); 

in response to the query and the access control output, 
populating a view for presentation thereof to the user, 45 
wherein the query is received from an application, the 
system includes a database management system 
(DBMS) hosting the view, and the application directly 
communicates with the DBMS. 

2. The system of claim 1, wherein the method acts further 50 
comprise: 

defining at least one view on at least one table in the 
database; 

executing a query against the view using at least the 55 

access control output; and 
returning the results of the query against the view. 

3. The system of claim 2, wherein the access control 
output is represented by at least one Access Authorization 
table, and the view is defined as a join between the Access 60 
Authorization table and the information table. 

4. The system of claim 3, wherein the tables are joined 
using a join key, and the join key is at least one access 
control code. 

5. The system of claim 4, wherein multiple rows of the 65 
information table are bound using respective multiple access 
control codes. 
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6. The system of claim 4, wherein all rows of the 
information table are bound using a single access control 
code. 

7. A method for enforcing at least one information management system (IMS) access control rule in a data system including at least one application accessing at least one IMS associated with a database management system (DBMS), the application accessing the DBMS using at least one direct communication path bypassing the IMS, the method comprising:

receiving a specification for IMS data schema;
generating a DBMS view in response to the specification, the view encapsulating the IMS access control rule; and
presenting the view to a user via the direct communication path.

8. The method of claim 7, further comprising:

defining at least one view on at least one table controlled by the DBMS;
executing a query against the view using at least the access control rule; and
returning the results of the query against the view.

9. The method of claim 8, wherein the access control rule is represented by at least one Access Authorization table, and the view is defined as a join between the Access Authorization table and the information table.

10. The method of claim 9, wherein the tables are joined using a join key, and the join key is at least one access control code.

11. The method of claim 10, wherein multiple rows of the information table are bound using respective multiple access control codes.

12. The method of claim 10, wherein all rows of the information table are bound using a single access control code.

13. A method for enforcing high level access control rules of an information management system (IMS) for an application directly communicating with a relational database management system (RDBMS) associated with the IMS, comprising:

providing at least one Access Authorization table (AAT), the AAT containing data representing high level access control rules;
providing at least one information table in the RDBMS; and
in response to a query for data from the application, joining the AAT with at least one information table to return a result in accordance with at least one of the high level access control rules.

14. The method of claim 13, further comprising:

defining at least one view on at least one table controlled by the DBMS;
executing a query against the view using at least the access control rule; and
returning the results of the query against the view.

15. The method of claim 14, wherein the tables are joined using a join key, and the join key is at least one access control code binding the information table to the access control rule.

16. The method of claim 15, wherein multiple rows of the information table are bound using respective multiple access control codes.
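The mechanism of claims 3 to 6, 9 to 16 and 24 to 29 (rows of an information table bound to access control codes, an Access Authorization table filled by evaluating the IMS's high-level rules, and a view defined as the join of the two on the code), shown as an added, self-contained example; it is not code from the patent. It assumes constructed sample records and group rules, uses SQLite in memory, and uses a stand-in Python function in place of the RDBMS user-defined function that would compute the AAT.

```python
import sqlite3

# Constructed sample data (not from the patent): each information row is bound
# to one access control code, as in claim 5 (several rows, several codes).
RECORDS = [
    (1, "Q3 forecast", "FIN"),
    (2, "Org chart", "HR"),
    (3, "Release notes", "PUB"),
]
# Constructed high-level IMS rules: group -> codes the group may read, and
# user -> group memberships. These are the "access control specifications".
GROUP_RULES = {"finance": {"FIN", "PUB"}, "staff": {"PUB"}, "hr": {"HR", "PUB"}}
USER_GROUPS = {"alice": ["finance"], "bob": ["staff"], "carol": ["hr", "finance"]}


def resolve_access(user_groups, group_rules):
    """Stand-in for the UDF of claim 25: resolve the high-level rules once
    (pre-run time) into (user, code) rows for the Access Authorization table."""
    rows = set()
    for user, groups in user_groups.items():
        for group in groups:
            for code in group_rules.get(group, ()):
                rows.add((user, code))
    return sorted(rows)


def build_db():
    """Create the information table, the AAT and the view that joins them."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE info(id INTEGER PRIMARY KEY, title TEXT, acl_code TEXT NOT NULL);
        CREATE TABLE aat(user_id TEXT NOT NULL, acl_code TEXT NOT NULL,
                         PRIMARY KEY (user_id, acl_code));
        -- The view encapsulates the rule: a row is returned only when the
        -- querying user holds an AAT entry for that row's access control code.
        -- A production RDBMS would filter on the session user (e.g. CURRENT_USER)
        -- inside the view and grant the application SELECT on the view only,
        -- never on info; SQLite has no session user, so user_id is a column here.
        CREATE VIEW info_v AS
            SELECT a.user_id, i.id, i.title
            FROM info AS i JOIN aat AS a ON a.acl_code = i.acl_code;
    """)
    db.executemany("INSERT INTO info VALUES (?, ?, ?)", RECORDS)
    db.executemany("INSERT INTO aat VALUES (?, ?)", resolve_access(USER_GROUPS, GROUP_RULES))
    return db


def visible_titles(db, user_id):
    """The application queries the view directly, bypassing the IMS."""
    cur = db.execute("SELECT title FROM info_v WHERE user_id = ? ORDER BY id", (user_id,))
    return [row[0] for row in cur.fetchall()]
```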

04/28/2004, EAST Version: 1.4.1

US 6,581,060 B1

17. A data system including a server computer programmed to undertake method acts for responding to user queries for data from a database controlled by the server computer, the method acts undertaken by the server computer including:

storing the database in a second system;
maintaining access control specifications that restrict access to data;
allowing a user to access data directly through the second system; and
in response to the direct access by the user, causing the second system to enforce the access control specifications without intervention from the data system.

18. The system of claim 17, wherein the user is an application.

19. The system of claim 17, wherein the data system supports a data model that is different from a data model supported by the second system.

20. The system of claim 17, wherein the data system supports a data model that is different from a data model supported by the second system, whereby the access control specifications are not directly enforceable by a native access control capability of the second system.

21. The system of claim 17, wherein the second system is a database management system (DBMS).

22. The system of claim 21, wherein the second system is a relational database management system (RDBMS).

23. The system of claim 22, wherein the access control specifications are stored in at least a first table in the RDBMS.

24. The system of claim 23, wherein the method acts include:

creating at least one RDBMS view by joining a data table with the first table, wherein the view can be used by the user for directly accessing data.

25. The system of claim 24, wherein the view includes at least one UDF on the first table, the UDF implementing the data system's access control model.

26. The system of claim 24, wherein the view is created when the data table is created.

27. The system of claim [number illegible], wherein resolutions of the access control specifications are computed using the data system's access control model, and are stored in an access authorization table (AAT) in the RDBMS.

28. The system of claim 27, wherein at least one RDBMS view is created, the view is a join between a data table and the AAT, and the view is used by a user for direct access to data.

29. The system of claim 28, wherein the view is created when the data table is created.

* * * * *